VYPR
High severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 16, 2026

Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle

CVE-2026-28490

Description

Authlib is a Python library for building OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in Authlib's implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and its wrapper undoes the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly, which reintroduces the padding oracle. This issue has been patched in version 1.6.9.
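As an added illustration (not code from the advisory or from Authlib), the check below inspects a compact JWE's protected header and refuses any token whose `alg` is not on an explicit allowlist, so a token requesting RSA1_5 is rejected before the library's key-unwrap code ever runs, regardless of which algorithms the library registers by default. The allowlist and the sample tokens are assumptions constructed for this example.

```python
import base64
import json

# Key-management algorithms this deployment accepts (an assumed allowlist).
# RSA1_5 is deliberately absent: it is the algorithm behind CVE-2026-28490.
ALLOWED_JWE_ALGS = frozenset({"RSA-OAEP", "RSA-OAEP-256", "A256KW", "dir"})

def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def protected_header(token: str) -> dict:
    """Return the protected header of a compact JWE (five dot-separated parts)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header

def check_jwe_alg(token: str, allowed=ALLOWED_JWE_ALGS) -> str:
    """Return the token's 'alg' or raise ValueError if it is not allowlisted.

    Called before the JWE reaches the library, so a token asking for RSA1_5
    never enters the RSA decryption path, whatever the library registers."""
    alg = protected_header(token).get("alg")
    if not isinstance(alg, str) or alg not in allowed:
        raise ValueError(f"JWE alg {alg!r} is not permitted")
    return alg

def accepts(token: str, allowed=ALLOWED_JWE_ALGS) -> bool:
    """True if the token passes the allowlist check, False if it is rejected."""
    try:
        check_jwe_alg(token, allowed)
        return True
    except ValueError:
        return False

def _fake_jwe(header: dict) -> str:
    """Constructed sample: real protected header, dummy remaining segments."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h, "AAAA", "AAAA", "AAAA", "AAAA"])

SAFE_TOKEN = _fake_jwe({"alg": "RSA-OAEP-256", "enc": "A256GCM"})
RSA15_TOKEN = _fake_jwe({"alg": "RSA1_5", "enc": "A128CBC-HS256"})
```

Pair this gate with upgrading to Authlib 1.6.9 or later; the allowlist is defence in depth, not a substitute for the patch.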


Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
authlib (PyPI)   < 1.6.9             1.6.9
